AUDITING AND THE SAP ENVIRONMENT
Presented by: Phil Lim, Product Manager, ACL
Steve Biskie, Managing Director, High Water Advisors
About the Speakers
Phil Lim has over seven years of experience working with compliance and audit groups of Fortune 500 companies, helping them build technology-enabled assurance programs to assess, test, and monitor risk. As a Product Manager for ACL Services Ltd., he is currently responsible for the integrated content portfolio. Phil has significant international experience; he was a key ACL consultant in Siemens' extensive continuous controls monitoring project, combining and analyzing purchase-to-payment data from over 1000 globally decentralized corporate entities daily, aimed at detecting potential FCPA violations.
Steve Biskie, co-founder and Managing Director of High Water Advisors, has over two decades of experience optimizing GRC and audit performance through the use of technology. In addition to being a leader in the data analysis space, he is also an expert in audit and compliance issues related to the SAP ERP system. He has authored dozens of articles, was an expert reviewer for the book Security, Audit, and Control Features: SAP ERP (3rd Edition), and in 2011 authored his own book through SAP Press titled Surviving an SAP Audit. He is a CPA, CITP, CISA, CGMA, and a two-time IIA All-Star Speaker.
Agenda
- Approaches to Data Access: discussion of tools and methodologies, pros and cons
- Dealing with SAP IT (Basis) Concerns: security, performance, and data volumes
- Common Risk Areas: example tests
- Finding Your Data: best practices on executing testing
Section: Approaches to Data Access (discussion of tools and methodologies, pros and cons)
Data Access Approaches for SAP
The slide arranges the options on a scale from self-serve to IT supported:
- Standard SAP Reports
- SAP Data Browser
- SAP Query (SQ01/SQVI) or Custom ABAP (SE16/SE16N)
- SAP BI
- SAP GRC (Access Control/Process Control/Fraud Management)
- ACL Direct Link
Standard SAP Reports
What is it? Using the system reports that the business uses.
Pros
- Independence from IT (self-serve)
- No additional effort to set up
- Most are fairly easy to understand
Cons
- Not designed for auditors (difficult to find suspicious items only)
- Downloads (even to Excel) require significant re-formatting to use
- Many are client-specific (limited view across the enterprise)
- Not all relevant data might be housed in SAP
SAP Data Browser
What is it? Using built-in SAP transaction codes to query records at the table level. Examples: SE17, SE16, SE16N.
Pros
- Independence from IT (self-serve)
- Access nearly any data in the system
Cons
- Only able to perform single-table analysis with basic filters
- No ability to join (large detail tables cannot be reduced by header data)
- Limited ability to query large data sets (may time out)
- Inherent limitations on extracting data from certain important tables
- Not all relevant data might be housed in SAP
- Difficult to repeat analysis, schedule extracts, and create an audit trail
SAP Query / Custom ABAP
What is it? Using built-in SAP transaction codes to query records at the table level; alternatively, using SAP AIS. Examples: SQ01, SE16, SECR.
Pros
- Independence from IT (self-serve)
- Access nearly any data in the system
Cons
- Only performs basic analysis
- Limited ability to query large data sets or join multiple tables
- Not all relevant data might be housed in SAP
- Difficult to repeat analysis and schedule extracts
- Lacks an audit trail
SAP Query / Custom ABAP
What is it? Use of built-in SAP Query tools (SQ01, SQVI). SAP IT teams (both infrastructure and functional teams) help implement custom ABAP queries for audit purposes.
Pros
- Access the data you want, the way you want it
- Ability to join tables and perform more complex analysis
Cons
- IT reluctant to grant query transactions due to performance concerns
- Cost: ABAP developers are not cheap
- Turnaround time for query development
- Difficult to maintain over time as the business changes (as processes and controls change, so do tolerances and thresholds)
SAP BI
What is it? Using SAP BI's toolset (e.g. SAP BusinessObjects) to query.
Pros
- Integrated solution
- Intended for end-user access
- Ability to access non-SAP data (if in the BI warehouse)
Cons
- Not designed for audit
- BI/BW data is often cleansed as part of the ETL process
- Typically aggregated/summarized data; audit and compliance processes often require analysis of detailed transactions
- Reconciliation to the source system can be challenging
SAP GRC (Access Control / Process Control / Fraud Management)
What is it? Using SAP Access Control for security analysis; using SAP Process Control for continuous monitoring; using SAP Fraud Management for fraud analytics.
Pros
- Integrated solution
- May already be owned in-house
- Ability to drill from findings/issues into live SAP data
- Analysis speed (for customers on the SAP HANA platform)
Cons
- Intended for business management, not audit
- Designed for productionized testing, not ad-hoc analysis
- Subject to internal IT change control processes (which take time)
- HANA platform out of reach for many audit/compliance departments
ACL Direct Link for SAP
What is it? SAP Certified add-on for ACL Analytics technologies to provide direct access to SAP data.
Pros
- Independence from IT (self-serve)
- Audit trail
- Repeatable; can schedule extract and analysis
- Performs complex analysis off the SAP system, limiting impact on performance
- Handles large, transactional data volumes
Cons
- Some SAP IT teams resistant to the idea (perceived impact on performance/security)
- Not a magic bullet; you still need to do your auditor due diligence
Section: Dealing with SAP IT (Basis) Concerns (security, performance, data volumes)
SAP IT Teams
Infrastructure SAP IT team
- Commonly referred to as BASIS
- Responsible for security, hardware, installations, code promotions, etc.
Functional SAP IT team
- Commonly referred to as Business Analysts / ABAP developers
- Create new SAP queries, new SAP functionality, integration
Infrastructure Concerns
Whatever tool/methodology you use to access your SAP data:
Security
- Who will have access, and how?
- How will we prevent unauthorized access?
- What user permissions do you need?
- How do you protect data that has been extracted?
Production Impact
- How will we prevent untested queries from running in Production?
- What is the impact on our system?
Data Volumes
- How much space is going to be used? Network? CPU?
Addressing Security Concerns
Security questions: Who will have access, and how? How will we prevent unauthorized access? What user permissions do you need? How do you protect data that has been extracted?
- ACL Direct Link follows user permissions to tables and is read only
- A server environment can be used to secure both sensitive data and control scripts run on production
- ACL Direct Link is SAP Certified
- Existing IT policies regarding use of extract tools can also be applied to ACL Direct Link
Addressing Production Impact Concerns
Production impact questions: How will we prevent untested queries from running in Production? What is the impact on our system?
- ACL Direct Link translates to native ABAP code (mostly straight table dumps, seldom complex joins)
- Comparable to equivalent SAP tools (e.g. SE16)
- Runs in background mode
- Can test performance in a QA environment prior to deploying to production
- Can set up your query development process to prevent untested code from running in Production
- Differing passwords can be used to ensure that only authorized individuals can query from production
Addressing Data Volume Concerns
Data volume questions: How much space is going to be used? Network? CPU?
- Massive queries are possible (there is no longer a 4GB limit)
- An auditor can schedule Direct Link queries to run in the background and at off-peak times to minimize production impact
- ACL Direct Link is used by large US Federal Government entities with billions of records
- You will need space to store queries
Section: Common Risk Areas (example tests in P2P, O2C, GL/R2R)
Target Areas in SAP ERP
- P2P: Purchase to Payment (MM Module)
- GL/R2R: General Ledger, Record to Report (FI Module)
- O2C: Order to Cash (SD Module)
Target Areas in SAP ERP - P2P: New Vendor Master Top Spend
Risk: Vendors without previous relationships with the organization present a higher risk of exposure to compliance violations.
Test description: Identify invoices to vendors created in the investigation period with greater than X cumulative spend.
Tables used: LFA1, BSAK
Target Areas in SAP ERP - P2P: Retroactive Purchase Orders
Risk: Circumvention of purchasing controls can result in unauthorized transactions and/or fraud.
Test description: In the investigation period, identify invoices with an invoice document date before the Purchase Order creation date.
Tables used: EKBE, EKPO
Target Areas in SAP ERP - P2P: One Time Vendors
Risk: Payments to one-time vendors are typically subject to fewer purchasing controls.
Test description: In the investigation period, identify one-time vendors with more than X spend or more than Y transactions. In the investigation period, identify a sample of one-time vendor transactions for review.
Tables used: BSEC, LFA1
Target Areas in SAP ERP - P2P: Non-PO Invoices
Risk: Payments made outside of the purchasing workflow may have fewer controls.
Test description: In the investigation period, identify vendors with a total non-PO spend greater than a threshold X; exclude vendors by type, such as taxes. In the investigation period, identify any non-PO invoices that were created by unauthorized individuals. In the investigation period, identify a sample of non-PO invoices for further review.
Tables used: EKBE, BSIK, BSAK
Target Areas in SAP ERP - P2P: Receiving vs. Invoice SOD
Risk: Segregation of duties is not maintained between the receiver of goods/services and the person who created or modified the invoice.
Test description: In the investigation period, identify transactions where the receiver was the same person that created or modified the invoice.
Tables used: EKBE, BSIK, BSAK
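The retroactive purchase order test and the receiving-vs-invoice SOD test above both read the purchase order history. The following Python is an added worked example, not code from the presentation or from ACL, showing both tests over a handful of constructed EKKO/EKBE rows. Field names (EKBE.VGABE as the history category with 1 = goods receipt and 2 = invoice receipt, EKBE.BLDAT, EKBE.ERNAM, EKKO.AEDAT as the PO creation date) are assumed from the SAP data dictionary; the document numbers, dates and user IDs are invented.

```python
from datetime import date

# Constructed sample rows modelled on the SAP tables named on the slides.
# Assumed field meanings: EKKO.AEDAT = PO creation date; EKBE.VGABE = history
# category (1 = goods receipt, 2 = invoice receipt); EKBE.BLDAT = document
# date; EKBE.ERNAM = user who created the record. All values are invented.
EKKO = [
    {"EBELN": "4500000001", "AEDAT": date(2014, 3, 10)},
    {"EBELN": "4500000002", "AEDAT": date(2014, 5, 20)},
    {"EBELN": "4500000003", "AEDAT": date(2014, 6, 1)},
]
EKBE = [
    {"EBELN": "4500000001", "VGABE": "1", "BELNR": "5000000011", "BLDAT": date(2014, 3, 15), "ERNAM": "JSMITH"},
    {"EBELN": "4500000001", "VGABE": "2", "BELNR": "5100000021", "BLDAT": date(2014, 3, 18), "ERNAM": "APCLERK"},
    # invoice dated eight days before its PO was created: retroactive PO
    {"EBELN": "4500000002", "VGABE": "2", "BELNR": "5100000022", "BLDAT": date(2014, 5, 12), "ERNAM": "APCLERK"},
    {"EBELN": "4500000002", "VGABE": "1", "BELNR": "5000000012", "BLDAT": date(2014, 5, 21), "ERNAM": "JSMITH"},
    # one user both receives the goods and posts the invoice: SOD conflict
    {"EBELN": "4500000003", "VGABE": "1", "BELNR": "5000000013", "BLDAT": date(2014, 6, 3), "ERNAM": "MJONES"},
    {"EBELN": "4500000003", "VGABE": "2", "BELNR": "5100000023", "BLDAT": date(2014, 6, 4), "ERNAM": "MJONES"},
]

# Investigation period for the example (constructed)
PERIOD_START = date(2014, 1, 1)
PERIOD_END = date(2014, 12, 31)


def in_period(row, start, end):
    return start <= row["BLDAT"] <= end


def retroactive_purchase_orders(ekko, ekbe, start, end):
    """Invoice receipts whose document date precedes the creation date of their PO."""
    po_created = {h["EBELN"]: h["AEDAT"] for h in ekko}
    hits = []
    for row in ekbe:
        if row["VGABE"] != "2" or not in_period(row, start, end):
            continue
        created = po_created.get(row["EBELN"])
        if created is not None and row["BLDAT"] < created:
            hits.append({
                "EBELN": row["EBELN"],
                "BELNR": row["BELNR"],
                "days_before_po": (created - row["BLDAT"]).days,
            })
    return hits


def receiver_invoicer_conflicts(ekbe, start, end):
    """POs where the same user appears on both a goods receipt and an invoice receipt."""
    users_by_po = {}
    for row in ekbe:
        if row["VGABE"] not in ("1", "2") or not in_period(row, start, end):
            continue
        bucket = users_by_po.setdefault(row["EBELN"], {"1": set(), "2": set()})
        bucket[row["VGABE"]].add(row["ERNAM"])
    conflicts = []
    for ebeln, bucket in sorted(users_by_po.items()):
        shared = bucket["1"] & bucket["2"]
        if shared:
            conflicts.append({"EBELN": ebeln, "users": sorted(shared)})
    return conflicts


if __name__ == "__main__":
    for hit in retroactive_purchase_orders(EKKO, EKBE, PERIOD_START, PERIOD_END):
        print("retroactive PO:", hit)
    for conflict in receiver_invoicer_conflicts(EKBE, PERIOD_START, PERIOD_END):
        print("GR/IR SOD conflict:", conflict)
```

Both functions filter on the document date so that the investigation period is applied once, in one place; in a real extract the period filter would normally be pushed into the Direct Link or SE16 selection so that only the relevant EKBE rows leave SAP.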
Target Areas in SAP ERP - P2P: Invoice vs. Vendor Master SOD
Risk: Segregation of duties is not maintained between the creator/modifier of vendor information and the person who invoices the vendor.
Test description: In the investigation period, identify invoices created or modified by the same individual as the vendor creator/modifier.
Tables used: EKBE, BSIK, BSAK, LFA1
Target Areas in SAP ERP - P2P: Duplicate Invoices
Risk: A miskeying of the invoice number may result in the duplicate payment of an invoice. A miskeying of which vendor to associate with an invoice may result in a duplicate payment of an invoice. Duplicate vendors could result in invoices being paid multiple times.
Test description: In the investigation period, identify invoices to the same vendor but with different invoice reference document number patterns. In the investigation period, identify invoices with the same amount to different vendors with the same tax identification number.
Tables used: BSIK, BSAK, LFA1
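The two duplicate-invoice tests above hinge on how the vendor's invoice number (the reference field) is normalized before comparison, and on linking vendor numbers through a shared tax ID. The Python below is an added example, not from the presentation or from ACL, over constructed BSAK and LFA1 rows; the field names (BSAK.XBLNR for the reference document number, BSAK.DMBTR for the local-currency amount, LFA1.STCD1 for tax number 1) are assumed from the SAP data dictionary, and the normalization rule is one reasonable choice, not the only one.

```python
import re
from collections import defaultdict

# Constructed vendor master rows: two vendor numbers share one tax number.
LFA1 = [
    {"LIFNR": "0000100001", "NAME1": "Acme Supplies", "STCD1": "12-3456789"},
    {"LIFNR": "0000100002", "NAME1": "ACME Supplies Inc", "STCD1": "12-3456789"},
    {"LIFNR": "0000100003", "NAME1": "Northwind Traders", "STCD1": "98-7654321"},
]
# Constructed cleared vendor items (BSAK): XBLNR is the vendor's invoice
# number as keyed by the AP clerk, DMBTR the amount in local currency.
BSAK = [
    {"LIFNR": "0000100001", "BELNR": "1900000001", "XBLNR": "INV-00123", "DMBTR": 1250.00},
    {"LIFNR": "0000100001", "BELNR": "1900000002", "XBLNR": "inv123", "DMBTR": 1250.00},   # same invoice, keyed differently
    {"LIFNR": "0000100001", "BELNR": "1900000003", "XBLNR": "INV-00124", "DMBTR": 980.00},
    {"LIFNR": "0000100002", "BELNR": "1900000004", "XBLNR": "A-7781", "DMBTR": 980.00},     # same amount, other vendor number, same tax ID
    {"LIFNR": "0000100003", "BELNR": "1900000005", "XBLNR": "A-7781", "DMBTR": 980.00},     # unrelated vendor
]


def normalize_reference(xblnr):
    """Collapse common keying variants: case, punctuation and leading zeros in digit runs,
    so that 'INV-00123' and 'inv123' compare equal."""
    stripped = re.sub(r"[^A-Za-z0-9]", "", xblnr).upper()
    return re.sub(r"(?<!\d)0+(?=\d)", "", stripped)


def duplicate_reference_same_vendor(bsak):
    """Vendor/reference pairs that appear on more than one FI document."""
    groups = defaultdict(list)
    for item in bsak:
        groups[(item["LIFNR"], normalize_reference(item["XBLNR"]))].append(item["BELNR"])
    return {key: docs for key, docs in groups.items() if len(docs) > 1}


def same_amount_shared_tax_id(bsak, lfa1):
    """Same amount invoiced under different vendor numbers that share one tax ID."""
    tax_of = {v["LIFNR"]: v["STCD1"] for v in lfa1}
    groups = defaultdict(list)
    for item in bsak:
        tax = tax_of.get(item["LIFNR"])
        if tax:
            groups[(tax, round(item["DMBTR"], 2))].append((item["LIFNR"], item["BELNR"]))
    hits = {}
    for key, docs in groups.items():
        if len({lifnr for lifnr, _ in docs}) > 1:   # more than one vendor number involved
            hits[key] = docs
    return hits


if __name__ == "__main__":
    print("same vendor, same normalized reference:", duplicate_reference_same_vendor(BSAK))
    print("same amount, different vendor numbers, same tax ID:", same_amount_shared_tax_id(BSAK, LFA1))
```

Every candidate still needs the auditor due diligence the slides call for: a normalized match is a lead, and the underlying invoices and payment documents decide whether it is a true duplicate.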
Target Areas in SAP ERP - P2P: Early Payments
Risk: Payments made that do not follow standard payment terms may represent a significant opportunity cost of capital.
Test description: In the investigation period, identify invoices with an opportunity cost of early payment greater than X, based on the cost of capital and the standard payment terms (in days).
Tables used: BSIK, BSAK, REGUH, PAYR
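The early-payment test needs a concrete formula for "opportunity cost". The Python below is an added example, not from the presentation or from ACL: it uses simple interest (amount x annual cost of capital x days paid early / 365) over constructed cleared items. The cost of capital, the payment-terms table and all invoice values are assumed; the field names (BSAK.BLDAT document date, BSAK.AUGDT clearing date, BSAK.ZTERM payment-terms key, BSAK.DMBTR amount) follow the SAP data dictionary, and the net days per terms key would in practice come from the payment-terms configuration.

```python
from datetime import date

COST_OF_CAPITAL = 0.08      # assumed annual rate for this example
# Constructed stand-in for the net days of each payment-terms key; in SAP the
# terms are configured centrally and referenced from BSAK.ZTERM.
TERMS_NET_DAYS = {"Z030": 30, "Z045": 45, "Z060": 60}

# Constructed cleared vendor items: BLDAT = invoice document date, AUGDT =
# clearing (payment) date (None = still open), DMBTR = amount in local currency.
BSAK = [
    {"LIFNR": "0000100001", "BELNR": "1900000010", "BLDAT": date(2014, 4, 1), "AUGDT": date(2014, 4, 3), "ZTERM": "Z060", "DMBTR": 250000.00},
    {"LIFNR": "0000100002", "BELNR": "1900000011", "BLDAT": date(2014, 4, 1), "AUGDT": date(2014, 4, 30), "ZTERM": "Z030", "DMBTR": 10000.00},
    {"LIFNR": "0000100003", "BELNR": "1900000012", "BLDAT": date(2014, 4, 5), "AUGDT": date(2014, 5, 20), "ZTERM": "Z030", "DMBTR": 50000.00},
    {"LIFNR": "0000100003", "BELNR": "1900000013", "BLDAT": date(2014, 4, 5), "AUGDT": None, "ZTERM": "Z030", "DMBTR": 7000.00},
]


def days_paid_early(item, terms=TERMS_NET_DAYS):
    """Net days allowed by the terms minus the days actually taken; <= 0 means on time or late."""
    if item["AUGDT"] is None:            # open item, nothing has been paid yet
        return 0
    taken = (item["AUGDT"] - item["BLDAT"]).days
    return terms.get(item["ZTERM"], 0) - taken


def opportunity_cost(item, rate=COST_OF_CAPITAL, terms=TERMS_NET_DAYS):
    """Simple-interest cost of paying early: amount * rate * days_early / 365."""
    early = days_paid_early(item, terms)
    if early <= 0:
        return 0.0
    return round(item["DMBTR"] * rate * early / 365, 2)


def early_payments_over(bsak, threshold, rate=COST_OF_CAPITAL, terms=TERMS_NET_DAYS):
    """Invoices whose opportunity cost exceeds threshold X, largest cost first."""
    hits = []
    for item in bsak:
        cost = opportunity_cost(item, rate, terms)
        if cost > threshold:
            hits.append({"LIFNR": item["LIFNR"], "BELNR": item["BELNR"],
                         "days_early": days_paid_early(item, terms), "cost": cost})
    return sorted(hits, key=lambda h: h["cost"], reverse=True)


if __name__ == "__main__":
    for hit in early_payments_over(BSAK, threshold=1000.0):
        print(hit)
```

An unknown terms key is treated as zero net days, which means such items can never be flagged as early; when running this for real, listing the terms keys that were not found is a useful side output so that the payment-terms mapping can be completed.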
Target Areas in SAP ERP - GL/R2R: Activity in Static Accounts
Risk: Unusual manual postings to accounts may be an indication of fraud or financial misstatement.
Test description: In the investigation period, identify manual journal entries posted to accounts with infrequent activity. Accounts with infrequent activity are defined by an externally provided list.
Tables used: BSIS, BSAS, SKA1, SKAT
Target Areas in SAP ERP - GL/R2R: Manual Journal Entry Descriptions
Risk: Inadequate documentation of manual journal entries may represent a compliance risk.
Test description: In the investigation period, identify manual journal entries with descriptions shorter than X characters.
Tables used: BSIS, BSAS, SKA1, SKAT
Target Areas in SAP ERP - GL/R2R: Invalid or Infrequent Transaction Code
Risk: Infrequently used transaction codes may represent a circumvention of controls.
Test description: In the investigation period, identify journal entries with an SAP transaction code that is infrequently used.
Tables used: BSIS, BSAS, SKA1, SKAT
Target Areas in SAP ERP - GL/R2R: Keyword Search
Risk: Transactions containing suspicious keywords may represent a compliance-related risk (e.g. FCPA, Sunshine Act, Dodd-Frank Conflict Minerals, etc.).
Test description: In the investigation period, identify journal entry or account descriptions containing a suspicious keyword.
Tables used: BSIS, BSAS, SKA1, SKAT
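The four GL/R2R tests above (static accounts, short descriptions, infrequent transaction codes, keyword search) all run over the same journal-entry lines, so one added Python example serves all of them. It is not code from the presentation or from ACL. The line item text (BSIS.SGTXT), G/L account (BSIS.HKONT), posting transaction code (BKPF.TCODE) and posting user (BKPF.USNAM) are assumed from the SAP data dictionary and are shown here already joined into one row per line; the documents, the static-account list and the keyword list are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed journal-entry lines (BSIS joined to its BKPF header). Assumed
# field meanings: TCODE = transaction code used to post, HKONT = G/L account,
# SGTXT = line item text, USNAM = posting user. All values are invented.
JOURNAL = [
    {"BELNR": "0100000001", "TCODE": "FB01", "HKONT": "0000400000", "SGTXT": "Monthly accrual reversal", "USNAM": "GLCLERK"},
    {"BELNR": "0100000002", "TCODE": "FB01", "HKONT": "0000400000", "SGTXT": "adj", "USNAM": "GLCLERK"},
    {"BELNR": "0100000003", "TCODE": "FB50", "HKONT": "0000650000", "SGTXT": "Facilitation payment to customs agent", "USNAM": "CONTROLLER"},
    {"BELNR": "0100000004", "TCODE": "ZFI9", "HKONT": "0000299999", "SGTXT": "Reclass per request", "USNAM": "CONTROLLER"},
    {"BELNR": "0100000005", "TCODE": "FB01", "HKONT": "0000120000", "SGTXT": "Customer refund", "USNAM": "GLCLERK"},
]

# Externally provided inputs, as the slides describe (both constructed here).
STATIC_ACCOUNTS = {"0000299999"}
SUSPICIOUS_KEYWORDS = ["facilitation", "gift", "donation", "consulting fee"]


def short_descriptions(journal, min_chars):
    """Documents whose line item text is shorter than min_chars after trimming."""
    return [r["BELNR"] for r in journal if len(r["SGTXT"].strip()) < min_chars]


def keyword_hits(journal, keywords):
    """(document, keyword) pairs where the keyword occurs as a whole word, any case."""
    patterns = [(kw, re.compile(r"\b" + re.escape(kw) + r"\b", re.IGNORECASE)) for kw in keywords]
    hits = []
    for r in journal:
        for kw, pattern in patterns:
            if pattern.search(r["SGTXT"]):
                hits.append((r["BELNR"], kw))
    return hits


def infrequent_tcodes(journal, max_uses):
    """Transaction codes used at most max_uses times in the data, with their documents."""
    counts = Counter(r["TCODE"] for r in journal)
    docs = defaultdict(list)
    for r in journal:
        if counts[r["TCODE"]] <= max_uses:
            docs[r["TCODE"]].append(r["BELNR"])
    return dict(docs)


def static_account_postings(journal, static_accounts):
    """Documents posted to accounts on the externally supplied low-activity list."""
    return [r["BELNR"] for r in journal if r["HKONT"] in static_accounts]


if __name__ == "__main__":
    print("short descriptions:", short_descriptions(JOURNAL, 5))
    print("keyword hits:", keyword_hits(JOURNAL, SUSPICIOUS_KEYWORDS))
    print("infrequent tcodes:", infrequent_tcodes(JOURNAL, 1))
    print("postings to static accounts:", static_account_postings(JOURNAL, STATIC_ACCOUNTS))
```

For the transaction-code test, the frequency baseline should be counted over the whole population of documents for the period (or a longer history), not only over the manual entries being screened; a code that is rare among manual entries may be perfectly routine overall, and the reverse.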
Target Areas in SAP ERP - O2C: Adjustments, Credit Notes, and Write-offs
Risk: Adjustments, credit notes, and write-offs can be abused or used to cover up fraudulent activity.
Test description: In the investigation period, identify customers where there are adjustments, credit notes, and write-offs greater than X in total and Y% of their total activity. In the investigation period, identify sales adjustments created or modified by an unauthorized individual.
Tables used: BSAD, KNA1
Target Areas in SAP ERP - O2C: Sales Order Line vs. Product Price
Risk: Data entry errors could result in sales prices below desired prices. Excessive discounts could be a sign of bribery, and require investigation for anti-bribery/FCPA purposes.
Test description: In the investigation period, identify sales order line items where the price varies more than X% or Y amount from the product price.
Tables used: VBAK, VBAP, KONV, KONP, KNA1
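The price variance test combines a percentage tolerance and an absolute tolerance, and has to decide what to do with lines whose material has no list price on file. The Python below is an added example, not from the presentation or from ACL, over constructed sales order data; VBAK.KUNNR (sold-to customer), VBAP.MATNR (material) and VBAP.NETPR (net price per unit) are assumed from the SAP data dictionary, and the LIST_PRICE dictionary stands in for the condition amount that would be read from the pricing condition tables (KONV/KONP).

```python
# Constructed sales order data modelled on the tables named on the slide.
# Assumed field meanings: VBAK.KUNNR = sold-to customer, VBAP.MATNR =
# material, VBAP.NETPR = net price per unit on the order line. LIST_PRICE
# stands in for the product price condition read from KONV/KONP.
VBAK = [
    {"VBELN": "0000010001", "KUNNR": "0000200001"},
    {"VBELN": "0000010002", "KUNNR": "0000200002"},
    {"VBELN": "0000010003", "KUNNR": "0000200001"},
]
VBAP = [
    {"VBELN": "0000010001", "POSNR": "000010", "MATNR": "MAT-100", "NETPR": 48.50},  # 3% below list
    {"VBELN": "0000010002", "POSNR": "000010", "MATNR": "MAT-200", "NETPR": 60.00},  # 50% discount
    {"VBELN": "0000010003", "POSNR": "000010", "MATNR": "MAT-100", "NETPR": 5.00},   # likely keying error
    {"VBELN": "0000010003", "POSNR": "000020", "MATNR": "MAT-300", "NETPR": 9.99},   # no list price on file
]
LIST_PRICE = {"MAT-100": 50.00, "MAT-200": 120.00}


def price_variances(vbak, vbap, list_price, max_pct, max_amount):
    """Order lines whose net price deviates from list by more than max_pct percent
    or by more than max_amount in currency. Lines without a list price are
    returned separately so that they are not silently skipped."""
    customer_of = {h["VBELN"]: h["KUNNR"] for h in vbak}
    flagged, no_list_price = [], []
    for line in vbap:
        list_p = list_price.get(line["MATNR"])
        if list_p is None:
            no_list_price.append((line["VBELN"], line["POSNR"]))
            continue
        diff = list_p - line["NETPR"]          # positive = sold below list
        pct = diff / list_p * 100
        if abs(pct) > max_pct or abs(diff) > max_amount:
            flagged.append({
                "VBELN": line["VBELN"], "POSNR": line["POSNR"],
                "KUNNR": customer_of.get(line["VBELN"]),
                "MATNR": line["MATNR"],
                "pct_below_list": round(pct, 1),
                "amount_below_list": round(diff, 2),
            })
    return flagged, no_list_price


if __name__ == "__main__":
    flagged, missing = price_variances(VBAK, VBAP, LIST_PRICE, max_pct=10, max_amount=20)
    for line in flagged:
        print("variance:", line)
    print("lines with no list price:", missing)
```

Prices above list are flagged as well (the absolute value is tested), since an overcharge is as much a data-entry error as an undercharge; if only discounts are of interest, drop the abs() on the percentage and amount.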
Target Areas in SAP ERP - O2C: Customer Credit Limits
Risk: Inadequate review of customer credit limits can expose an organization to collection risk.
Test description: In the investigation period, identify customers with credit limits that have not been reviewed in the past X days and/or with an unusually high credit limit.
Tables used: VBAK, VBAP, KNA1, KNKK
Section: Finding Your Data (best practices on executing testing)
Tips for Finding Your Data
Step 1: Quick wins. Choose a specific, narrow risk where there are likely findings. Identify the likely data elements required (e.g. clearly vendor number and invoice number would be required for a duplicate invoice test).
Step 2: Use Entity Relationship Diagrams. ERDs help you visualize which tables you might need as well as other, related tables that might also be helpful.
Step 3: Determine the actual fields required. The ABAP Dictionary (SAP transaction SE11) can be very helpful.
SAP P2P Entity Relationship Diagram (figure, shown on three slides in increasing detail; grouped into MM and FI areas). Entities shown: Vendor Master, One Time Vendors, Purchase Requisitions, Purchase Orders, Goods/Services Receipts / Invoice Receipts, Invoice Postings/Payments.
Asking for Help (and other Resources)
- ACL Consulting Services and High Water Advisors
- ACL Audit and Financial Control Solution: address up to 30 fraud, waste, abuse, and financial misstatement risks with pre-defined data analytics
- Webinar on Navigating the SAP Data Dictionary (and ER Diagram): http://tinyurl.com/lk97byt
- SAP Functional (Business Analyst) Teams: assistance with identifying tables you might need, understanding related tables that might also be helpful, and providing insight into non-standard customizations that might impact analysis
Q & A
For more information please contact us:
Phil Lim, phil_lim@acl.com
Steve Biskie, steve.biskie@highwateradvisors.com